Possible virus??

A lot of people in our company have been receiving a suspicious email lately. I haven't been able to find any information about this message at all, though. The message has no from address, the subject is 'NOTICE: mail delivery status', the body is empty and there is an attachment called NAI_Alert.htm. We have Norton 8.1, mostly Windows 98 machines, everyone uses Outlook 2000 and a Win NT 4 server. Any ideas on what this is or how to stop the messages from coming? The first reported time this message was received was about three weeks ago. Since then more and more people have been receiving it.

NAI alert is a Network Associates AntiVirus Software alert. A legitimate email of this type would indicate that a message contained a virus and that the virus was removed from the email. The file NAI_Alert.htm should provide details as to which virus, and when and where it was detected. If you want to see where the messages are coming from, open one of the emails on a non-critical machine protected with the latest antivirus updates etc, and go into the view options in Outlook. Choose the "View Internet Header" option, which will display the header information for the email. That should indicate the originating SMTP server from which the email arrived. If there is no information in the header, then it likely came from somewhere within your organization. Check to see if the server has a Network Associates antivirus product on it. If you get no headers, you'll need to look in your Exchange server logs (try sort by date/time and match up with one of the received messages). The server logs should again indicate from where and exactly when the message was delivered and to whom. The difference in the Exchange logs is that if the mail originated from within your organization, it will be able to tell you that, as well as tell you the IP address and DNS info about the originating server even if the sender has masked the headers.

It is important to note here that many recent virii use delivery status messages to actually spread the virii as email worms. They send alerts, undeliverable and failed status messages with attached files named alert.txt etc (file names used by popular email server antivirus products) and when or if you open that file, it is the actual virus payload. That's why I suggest you open the message on a spare computer with the latest antivirus software. If it's a legitimate email from somewhere, the htm file should contain info on the virus, and if it's not, then the htm file probably IS a virus, or malicious html code that redirects your computer to a direct download of the virus. Rather than open the file, you may want to use Save As, then "Open With" notepad.exe and look at the code to see whether there is an actual message in there or some kind of script or redirect. That should give you some starting points to get you going.

As far as stopping them, you can create a server filter/rule that auto-deletes all messages containing attachments called NAI_Alert.htm before delivery to user mailboxes.
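The header check, the look inside the .htm for script or a redirect, and the attachment-name filter from the answer above, as an added Python example (not code from the thread or from any product named in it); the sample message, hostnames and addresses are constructed:

```python
import email
import re
from email import policy

# Constructed sample message: empty body, the thread's subject, NAI_Alert.htm attached.
SAMPLE_RAW = b"""\
Received: from mail.example.invalid ([192.0.2.10]) by exch01.example.invalid
Subject: NOTICE: mail delivery status
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: text/html; name="NAI_Alert.htm"
Content-Disposition: attachment; filename="NAI_Alert.htm"

<html><body><script>location.href="http://example.invalid/dl"</script></body></html>
--b1--
"""

# Markers that mean the .htm is code that runs or redirects, not a plain scan notice.
SUSPICIOUS_HTML = re.compile(r"<script|http-equiv=[\"']?refresh|<iframe|<object|<embed", re.I)
BLOCKED_NAMES = {"nai_alert.htm"}  # the server rule from the thread; one check of several

def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)

def originating_hop(msg):
    # Earliest Received header (last listed) is the first SMTP hop; None means no
    # Received trail at all, which the answer reads as "probably internal".
    received = msg.get_all("Received") or []
    return str(received[-1]).strip() if received else None

def classify_attachments(msg):
    # One (filename, verdict) pair per attachment; any "block" verdict stops delivery.
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        html = part.get_content() if part.get_content_type() == "text/html" else ""
        if name.lower() in BLOCKED_NAMES:
            verdict = "block: attachment name matches filter rule"
        elif name.lower().endswith((".htm", ".html")) and SUSPICIOUS_HTML.search(html):
            verdict = "block: html attachment contains script or redirect"
        else:
            verdict = "allow"
        results.append((name, verdict))
    return results

def should_quarantine(raw: bytes) -> bool:
    # Server-side decision: drop the message before it reaches a user mailbox.
    return any(v.startswith("block") for _, v in classify_attachments(parse(raw)))
```

The content check catches the same .htm under a different name, which matters because, as noted later in the thread, worms often randomise attachment names.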

That is not a legit attachment. Internal or external, it's obviously a worm. Check out: http://www.gfi.com/mailsecurity/ if you'd like to prevent future issues with worms and viruses within your network. The idea Focusyn suggested above is okay to prevent that one specific attachment, however what about tomorrow's threats and next week's? Trying to prevent attacks one at a time manually isn't going to work in a large network environment. You need a program that will handle that for you, update for you, and even give you reports to show you status.

No 'From' address and an HTML link?
My guess is that this file contains a link to a remote site to install some sort of trojan. If you have any Exchange-like server, there are many tools for you within that server to eliminate or prevent such mailings from appearing.

Thanks everyone. The messages have stopped, for now. I didn't get a chance to look into the source code of the htm file. Because we use Norton, I will assume it is a trojan of some sort. I'll post more when I know more.

astaec, many viruses, especially worms, generate random file names. This is important to prevent manual detection. People that just google the filename and/or check a vendor's website are better off going to multiple sites and scanning the file. Don't rely on a filename for detection.

OK, the messages have stopped. I spoke with my ISP and they do have McAfee but said these messages shouldn't get through to us. I even looked at the source for the message and found nothing interesting at all. I guess it was nothing.
